Refactor secrets

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-24 11:01:47 +01:00
parent ba55a766ec
commit 15bf209e8c
62 changed files with 214 additions and 158 deletions


@@ -11,11 +11,11 @@ fi
host="$1"
mkdir -p "./hosts/$host/secrets"
ssh-keygen -t ed25519 -f "./hosts/$host/secrets/ssh_host_ed25519_key" -C "root@$host" -N ""
age_key=$(ssh-to-age < "./hosts/$host/secrets/ssh_host_ed25519_key.pub")
mkdir -p "./secrets/hosts/$host"
ssh-keygen -t ed25519 -f "./secrets/hosts/$host/ssh_host_ed25519_key" -C "root@$host" -N ""
age_key=$(ssh-to-age < "./secrets/hosts/$host/ssh_host_ed25519_key.pub")
cat <<EOF > "./hosts/$host/secrets/sops.yaml"
cat <<EOF > "./secrets/hosts/$host/sops.yaml"
keys:
- hosts:
- &$host $age_key
@@ -46,7 +46,7 @@ done
machine_id=$(uuidgen -r | tr -d -)
cat <<EOF > "./hosts/$host/secrets/.decrypted~secrets.yaml"
cat <<EOF > "./secrets/hosts/$host/.decrypted~secrets.yaml"
luks: '$luks'
machineId: $machine_id
EOF
@@ -55,11 +55,11 @@ tmp_age_key="$(mktemp)"
echo "$age_key" > "$tmp_age_key"
export SOPS_AGE_KEY_FILE="$tmp_age_key"
sops --config "./hosts/$host/secrets/sops.yaml" --encrypt "./hosts/$host/secrets/.decrypted~secrets.yaml" > "./hosts/$host/secrets/secrets.yaml"
sops --config "./secrets/hosts/$host/sops.yaml" --encrypt "./secrets/hosts/$host/.decrypted~secrets.yaml" > "./secrets/hosts/$host/secrets.yaml"
unset SOPS_AGE_KEY_FILE
rm -f "$tmp_age_key"
rm -f "./hosts/$host/secrets/.decrypted~secrets.yaml"
rm -f "./secrets/hosts/$host/.decrypted~secrets.yaml"
mkdir -p "./hosts/$host/hardware"
@@ -194,7 +194,7 @@ EOF
sed -i "/nixosConfigurations = {/a\\
$host = mkNixosConfiguration inputs system [ ./hosts/$host ];\n" flake.nix
sed -i "/knownHosts = {/a\\ $host.publicKeyFile = ../../../../$host/secrets/ssh_host_ed25519_key.pub;" ./hosts/common/configs/system/ssh/default.nix
sed -i "/knownHosts = {/a\\ $host.publicKeyFile = \"${inputs.secrets}/$host/ssh_host_ed25519_key.pub\";" ./hosts/common/configs/system/ssh/default.nix
new_entry="| \`$host\` | [hosts/$host/README.md](./hosts/$host/README.md) |"
last_table_line=$(grep -n "^| " README.md | tail -n 1 | cut -d: -f1)
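Review bot: The new `knownHosts` sed line would fail in bash before sed ever runs, because `${inputs.secrets}` sits inside a double-quoted string and bash treats it as a parameter expansion; `inputs.secrets` is not a valid parameter name, so the shell aborts with a bad-substitution error (unless a backslash was lost in rendering). The intent is clearly a literal Nix interpolation in the generated default.nix, so the dollar sign needs escaping: `sed -i "/knownHosts = {/a\\ $host.publicKeyFile = \"\${inputs.secrets}/$host/ssh_host_ed25519_key.pub\";" ./hosts/common/configs/system/ssh/default.nix`. Separately, `$host` (taken from `$1`) is still spliced unescaped into the sed program on this line and in the flake.nix edit above it, so a value containing `/` or `&` corrupts the generated Nix instead of failing cleanly; validating it once near the top of the script, e.g. `[[ "$host" =~ ^[A-Za-z0-9_-]+$ ]] || exit 1`, would make both edits robust. The assignment of `host` and the rest of the script lie outside this hunk.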


@@ -11,7 +11,7 @@ fi
host="$1"
age_key=$(ssh-to-age < "./hosts/$host/secrets/ssh_host_ed25519_key.pub")
age_key=$(ssh-to-age < "./secrets/hosts/$host/ssh_host_ed25519_key.pub")
find . -type f -name "sops.yaml" | while IFS= read -r sops_file; do
sed -i "/ - &$host $age_key/d" "$sops_file"